Posted
by
timothy
on Thursday June 19, 2014 @12:33PM
from the seller's-market dept.

msm1267 (2804139) writes Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.

"Because the Red Pill VM-detection routine [28] only works reliably on single-CPU
computers, we also collected information on the number of CPUs. Using Red Pill, we
detected the presence of a VM on a single participant’s machine. Examining each partic-
ipants’ process lists, we were able to confirm that this participant was running VMware.
Additionally, we detected VMware Tools running on an additional fifteen machines
(sixteen in total), and Parallels Tools running on a single machine. Thus, we can con-
firm that at least seventeen participants (1.8% of 965) took the precaution of using a
VM to execute our code. Eleven of these participants were in the $1.00 condition, five
were in the $0.50 condition, and one was in the $0.01 condition. The information we
collected on participants’ motherboards was not useful in determining VM usage."

Apparently you weren't the only one who thought so; but the numbers were small. 16 VMware VMs, 1 Parallels (which, since the study required windows to participate, may have been a security measure or may have been a mac user willing to hose his 'everything I need windows for' machine...)

No word, obviously, on anybody who is a bit more subtle about their VM usage; but I'd be shocked if that number is high.

I didn't take part in this little thing. But, I'll mention that I have downloaded malware, intentionally, just to look at it. "Hey, Dad, I found a site that does a driveby installation of crap. Don't go there!" So, I load the site, let it do it's thing, find and decompile the executable, nod my head, and say, "That's pretty slick - I wish they'd find the bastard and castrate him."

It should be noted that almost nothing runs on my locked down Unix-like boxes. Sure, Javascript enabled allows them to hijac

Sure, Javascript enabled allows them to hijack the browser, and take it over, but that doesn't take over the system!

Bad assumption, as you'll find out one day when a privilege escalation attack you weren't aware of succeeds and they pwn you. Hell, a few years back there was a bug with libpng that would allow that just by the browser rendering the image!

I suspect that their implementation wasn't robust enough to resist 'one skilled in the art'; but the researchers did arrange it so that, to get paid, the participant had to download the executable, allow it to run for 60 minutes (the cover story was that it was some sort of distributed computing client software), at which time it would give them a code that they could redeem for the amount of money the Turk job specified.

The software did chat over the network (they were interested to see if people would

Seriously, what kind of idiot would download an unknown executable on his main PC to earn a fucking dollar?

There are plenty of people for whom a dollar is a lot of money. Don't forget, thus was a world wide study - not one limited to your particular country. The paper states that along with running a program, there was a questionnaire (I wonder what languages it was available in, and also what languages the Mechanical Turk posting was wtitten in - surely that is a tremendous skew to the results?) and that 40% of the survey respondents were from India - where english is quite popular (more english speakers than a

So, since purchasing power of the $1 wasn't taken into account, the results are flawed, since the reward will vary so much depending on the wealth of the individuals taking part.

From TFS, "While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1."

So, for $0.01, fewer than 50% of respondents (let's just guess around 45%... I'm not going to bother reading the article, but if it was only 10%, then they wouldn't have said "fiewer than half").And for $0.50, 58%.And for $1, 64%.

People were happy to install ActiveX controls to "Punch the Monkey" in 1998. Nothing has changed since then.

It's also why the Android security model is a complete joke and always has been.

Any security model that requires users to make perfect security decisions is an automatic failure because there is no "undo", so one mistake after 10 years of perfect vigilence owns your entire machine.

Dancing pigs [wikipedia.org] accomplish the same. Actually, more likely even, because people, despite being used to getting free stuff from the internet, are still kinda wary if you actually pay them to do anything.

Less than half for.01, 58% for.50, and 68% for 1.0? Seems like the single penny was the best value, possibly followed by the 50 cents. However, even if we assume "less than half" is as low as 40%, $1 is 10000% more payment for less than a 50% increase!

But the demographics of the downloaders varied with the amount offered. So, at the lowest level there were very few westerners who took the bait. As the reward increased, the proportion grew. If you were planning to use a similar process to grab some confidential or profitable data off the participant's machine, you should take into account the likelihood of poor vs. rich participants' computers having anything you would be looking for.

This was done via the Mechanical Turk, so it's already filtered for people willing to do computery things for money. It would be a different story if this was a random website with the author anonymous.

i think you're missing the point.. it's not about the payout, or the self selected sample.

The takeaway should be that people will be less than cautious when it comes to getting some perceived benefit. That psychology is universal, the only variable being what is sufficient motivation. (free pr0n, free movies/tv shows/music etc, or in this case poor indians and $1.)

What do you think that most of those websites sends you the surveys to fill out for a few cents running ? Flash ? How much do you know about flash, unless you are a web developer of course, to say if what you are downloading is secure enough, not to steal your identity ? Or when you click on coupons.com etc. coupon printer apps the get downloaded. Once you download and run them, you are giving the app, free rein of your computer. Once run, they are no longer governed by the security controls of your browse

Thank you. I've wanted to run an experiment like this for years, but couldn't figure out to get a good sample audience.

The result is completely non-surprising. Security Awareness training is 90% pointless waste of money, and I regularily make enemies at conferences when I say it, because there's a ton of money in this snake oil, mostly because you can repeat it ad infinitum, once you've sold a client you can do one every year or twice a year or even get a whole "ongoing awareness process" going.

When I read the paper, I didn't see anything to suggest a date after 2010. And as the paper says, this only covers workstation computers - Windows/XP through Windows/7. No tablets or smart-phones, or other app-store like environments.

I suspect that if anything, current behavior - influenced by app-store like environments - is even worse. You could probably get someone to run your mystery app just by promising them access to another mystery app.

There's a fairly decent community of people who make money using Mturk. They've been doing these types of jobs for years now and have systems in place to stop malware, generally through a blacklisting process. There is also a widely accepted rule that low paying work is to be shunned - nobody wants to work for a sweatshop, whether it be online or otherwise. The general lowest people will work for is 10 cents a minute. It's very much like a union, people depend on Mturk for money and want to make the most ou